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METHOD OF GENERATING A CRYPTOSYNC 

BACKGROUND OF THE INVENTION 
[ 0001 ] Encryption has found wide spread use in numerous fields 
• such as wireless communication, the internet, etc. The message, data, 
voice, etc. to be encrypted is ususdly referred to as the plaintext, and 
the result of the encr5rption process is referred to as the ciphertext. 
Often, the encrypting process involves perforrning an encryption 
algorithm on the plaintext to obtain the ciphertext. Many encryption 
algorithms such as DES, AES, etc. involve the use of a key in the 
encryption process. The encryption key is a bit sequence used in the 
encryption algorithm to generate the ciphertext. The encryption key is 
known at both the send and receive sides of the communication, and 
at the receive side is used to decrypt the ciphertext into the plaintext. 
[ 0002 ] One example of encryption in the wireless communication 
environment involves encrypting frames of information sent between a 
base station and a mobile station. Unfortunately, if the same 
information (i.e., the same plaintext) is sent during two different 
frames, the same ciphertext is produced. As such information on the 
ciphertext is said to have leaked. This process also permits a replay 
attack wherein a malicious attacker sends previously sent ciphertext. 
Because the ciphertext will be decrypted into plaintext as opposed to 
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mesiningless text, a replay attack can reek havoc at the receiver side of 
the communication. 

[ 0003 ] To prevent replay attacks, an encr 5 ^tion technique using a 
cryptosync has been developed. The cr3q5tosync, for example, is a 
count value incremented after each use of the ciyptos 5 mc for 
encryption. In this manner, the ciyptosync changes over time. In a 
typical use of the ciyptosync, the encryption algorithm is applied to 
the ciyptosync as if the cryptos)m.c were plaintext. The resulting 
output is referred to as a mask. The mask then undergoes an 
exclusive-or operation with the information (e.g., voice, data, etc.) for 
encryption to generate the plaintext. As with encryption keys, the 
ciyptosync is known at both the send and receive sides, and at the 
receive side is used to decrypt the ciphertext into the plEuntext. 

[ 0004 ] As will be appreciated, the cryptosync changes with each use 
such that even if the information remains the same, for example, over 
different frames of a communication session, the resulting cipheilext 
does change. 



SUMMARY OF THE INVENTION 
[ 0005 ] The present invention provides a method of generating a 
ciyptosync such as for use in a communication session between two 
communication devices. 
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[ 0006 ] If a ciyptos3nic is out of sync, lost, etc., the cryptos3mc may 
be reset. However, re-S3mchronizing a ciyptosync by setting the 
cryptos3mc to a same value each time defeats the purpose behind 
using a cr3rptosync. For example, if for each new communication 
session, the ciyptos3mc is reset to the same value or to a value that 
was used previously used while the encryption key remains 
unchanged and the same information is transmitted at the beginning 
of each communication session, then the same ciphertext may be 
generated. 

[ 0007 ] In one embodiment of the present invention, a cr3/ptos3mc for 
use such as in a communication session is derived from a second 
cryptos3mc. The second cr3qDtosync changes between communication 
sessions such that the derived cr3rptosync chemges for each 
communication session. 

[ 0008 ] In one exemplary embodiment, the ciyptos5mc is derived as 
at least a portion of the second ciyptosync. For example, the 
ciyptosync may be derived as at least a portion of the second 
ciyptosync and a fixed bit sequence. 

[ 0009 ] In another exemplary embodiment, a pseudo-random 
function is performed on the second ciyptosync, and the derived 
ciyptosync is derived from the output of the pseudo-random function. 



3 




Attorney Docket No. 29250-00201 3 /US 
Lucent Ref. Patel 23-2 



BRIEF DESCRIPTION OF THE DRAWINGS 
[ 0010 ] The present invention will become more fully understood 
from the detailed description given herein below and the 
accompanying drawings, wherein like elements are represented by like 
reference numerals, which are given by way of illustration only and 
thus are not limiting of the present invention and wherein; 

[ 0011 ] Fig. 1 illustrates the formation of a short-lived cryptosync 
from a long-lived cryptosync according to one embodiment of the 
present Invention. 



DETAILED DESCRIPTION OF THE EMBODIMENTS 
[ 0012 ] For ease of understanding and simplicity of description, the 
embodiments of the present invention will be described in the context 
of wireless communication such as according to the family of 
CDMA2000 standards. However, it should be understood that the 
methodologies described are not limited to this communication 
standard or to wireless communication. 

[ 0013 ] In wireless communication, mobile stations communicate 
with base stations over the air. A mobile station may be a mobile 
phone, wireless computer, etc. The base station services a geographic 
area; namely, services communication to and from mobile stations in 
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the geographic area. Often this communication is encr 5 rpted. In 
CDMA2000, for example, there exist several long lived keys such as a 
cipher key (CK) and an integrity key (IK) associated with a mobile 
station that are used in the encryption processes and messaging 
integrity protection processes, respectively. CDMA2000 also provides 
for, relatively speaking, a long lived ciyptos 5 mc (e.g., TX_EXT_SSEQ 
and RX_EXT_SSEQ in CDMA2000). The long-lived cryptosync (LIX^S) 
is used to encrypt and decrypt messages (e.g. , signaling messages) 
between the base station and mobile station, to verify message 
integrify, or both. After each use, the LLCS is Incremented in the 
usual fashion so that the ciphertext generated using the LLCS is 
resistant to replay attacks. Initially, upon need or request, the LLCS 
may be derived using any well-known authentication protocol such as 
set forth in CDMA2000. 

[ 0014 ] Besides the usued voice communication, CDMA2000 and 
other standards also provide for data communication (e.g., internet 
surfing, email downloads, etc.). The communication cheinnel for 
communicating information (e.g., voice, data, etc.) between the base 
station and mobile station is often referred to as the radio fink, emd 
one protocol for data communication, for example, is referred to as the 
radio link protocol (RLP), To establish an RLP communication, a 
communication charmel between the mobile station and base station 
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Is established in a well-known manner such as through message 
integrity using the LLCS. When the RLP communication ends, the 
communication channel is tom down. The time during which the 
communication channel existed for communication of information 
(e.g., voice, data, etc.) is referred to generedly as the communication 
session. 

[ 0015 ] During a communication session, several frames as defined 
by the RLP may be communicated. According to the present invention, 
each frame is encr 3 ^ted using what will be referred to herein as a 
short-lived ciyptos 5 mc (SLCS). The SLCS is short lived in comparison 
to the LLCS in that the life of the SLCS is limited to the duration of the 
communication session. Namely, as will be described in detail below, a 
value for the SLCS is newly derived for the next communication 
session. 

[ 0016 ] By contrast, the hfe of the LLCS is not limited to a single RLP 
session. For example, in CDMA2000, the natural life of the LLCS is 
tied to the duration of the cipher key (CK) and an integrity key (IK) . 

For example certain t}?pes of registration (e.g., registration at a new 
visiting location register VLR), result in a new CK and a new IK. 
Accordingly, this ends the life of the previous CK and IK, and along 
with it, the life of the LLCS associated with those keys. Additionally, 
events such as the mobile station powering down and losing the LLCS 
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may terminate the life of the LLCS. In general, however, the life of the 
LLCS extends over multiple communication sessions. Stated another 
way, the LLXDS continues In use during and after expiration of an 
SLCS. As wiU be appreciated hi detail below, the methodologies of the 
present Invention exploit this difference between the SLCS and the 
LLCS. 

[ 0017 ] The LLCS changes between communication sessions in part 
because the message used to initiate a communication session is 
integrity protected using the LLCS. As such, the value of the LLCS is 
incremented after each use, and in at least this manner, the LLCS wtU 
have a different value for each communication session. It will be 
appreciated that as a result of other uses of the LLCS, further 
incrementing of the LLCS may occur between communication sessions 
Because, as described in detail below, the SLCS is derived from the 
LLCS, the SLCSs derived for different communication sessions will 
have different values; thus, helping to prevent a replay attack. 

[ 0018 ] According to one embodiment of the present invention, the 
SLCS is derived using a portion of or the entirety of the LLCS. Fig. 1 
illustrates an example of an SLCS according to this embodiment. In 
the example shown in Fig. 1 , it is assumed that the SLCS has a length 
greater than the length of the LLCS. More particularly, the example of 
Fig. 1 assumes the case of a 64 bit SLCS and a 32 bit LLCS. As 
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shown, the most significant 32 bits of the SLCS are the 32 bits of the 
LLCS. The remaining, least significant 32 bits of the SLCS are a fixed 
bit stream. In the case of Fig. 1 , the fixed bit stream is a string of all 
Os. 

[ 0019 ] As will be appreciated, the fixed bit stream need not be all Os 
or edl Is. Furthermore, instead of using the entirety of the LLCS to 
form a portion of the SLCS, only a portion of the LLCS may be used; 
however, it will be appreciated that this may not offer the highest 
degree of protection against repeating the SLCS. 

[ 0020 ] According to another embodiment of the present invention, 
emy well-known pseudo-random function may be apphed to the LLCS. 
The result is then used to generate the SLCS. For example, the 
resulting pseudo-random number may used in the same manner as 
the LLCS in the previously described embodiment to generate the 
SLCS. Alternatively, the resulting pseudo-random number may be 
used as the SLCS. 

[ 0021 ] It will be appreciated that further numerous variations for 
deriving the SLCS from the LLCS may exist, and that these specific 
embodiments are intended to fall within the overall concept driving the 
present invention. 

[ 0022 ] Because the same LLCS is known at both the mobile station 
and base station, the same SLCS is derived for the communication 
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session therebetween. The derived SLCS is then used in the 
conventional manner to encrypt a frame of information at the send 
side (base station or mobile station) and decrypt the frame of 
information at the receive side (mobile station or base station). After 
each encryption and decryption, the value of the SLCS is incremented 
and used for encryption and decryption of the next frame. When the 
communication session ends, so ends the life of the SLCS. For the 
next communication session, the SLCS is derived anew as described 
in detail above. 

[ 0023 ] The invention being thus described, it will be obvious that 
the same may be varied in many ways. Such variations are not to be 
regarded as a departure from the spirit and scope of the invention, 
and all such modifications are Intended to be included within the 
scope of the present invention. 
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